If the certificate in CAPI has a DN which can be distinguished from the others, you can do the following with a script started through GPO or similar (here with a PowerShell example).
This procedure selects the string based on your pattern and connects. As the VPN client saves the last successfully used certificate for the next connect, you don't have to select it manually afterwards.
Here are the parts of the script:
1. Get the list of certificates available to the Check Point client and select the right certificate by pattern:
cd "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect"
$myvar=.\trac.exe list |Select-String -Pattern xyz
2. Fetch the DN string from this output:
$dnstring = $myvar.ToString().Trim()
3. Connect to the site using the DN and disconnect afterwards:
.\trac.exe connect -s "<sitename>" -d $dnstring
.\trac.exe disconnect
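
The three steps above combined into one script, as an added example that is not part of the original post and not Check Point's own code. It refuses to connect unless exactly one line of the `trac.exe list` output matches, so an ambiguous pattern cannot silently pick the wrong certificate. The parameter names `$Pattern` and `$SiteName` are placeholders, and, as in the steps above, the matching output line is assumed to be the DN string.

```powershell
# Added example: select a CAPI certificate by DN pattern, connect once so the
# client remembers it, then disconnect. Only the trac.exe calls shown in the
# post (list, connect -s -d, disconnect) are used.
param(
    [Parameter(Mandatory)][string]$Pattern,   # placeholder: text unique to the intended DN
    [Parameter(Mandatory)][string]$SiteName   # placeholder: VPN site name
)

$clientDir = 'C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect'
if (-not (Test-Path -LiteralPath (Join-Path $clientDir 'trac.exe'))) {
    Write-Error "trac.exe not found in '$clientDir'."
    exit 1
}
Set-Location -LiteralPath $clientDir

# Step 1: list the certificates and keep the lines containing the pattern.
# -SimpleMatch treats the pattern as literal text, so characters such as
# '.' or '(' in a DN are not interpreted as regex syntax.
# @(...) forces an array so .Count is reliable for 0, 1 or many matches.
$hits = @(& .\trac.exe list | Select-String -Pattern $Pattern -SimpleMatch)

# Guard: zero matches means the certificate is missing; several matches mean
# the pattern is not specific enough to identify one certificate.
if ($hits.Count -ne 1) {
    Write-Error "Expected exactly one line matching '$Pattern', found $($hits.Count). Not connecting."
    exit 1
}

# Step 2: take the matched line itself as the DN string.
$dnstring = $hits[0].Line.Trim()

# Step 3: connect with that DN, then disconnect; the client keeps the last
# successfully used certificate for the next connect.
& .\trac.exe connect -s $SiteName -d $dnstring
& .\trac.exe disconnect
```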